Full Report
Table of Contents Introduction Infection Chain Technical Analysis Conclusion Seqrite Coverage Indicators of Compromise (IOCs) MITRE ATT&CK Mapping Introduction The Seqrite Threat Research Team identified a targeted spear-phishing campaign disguised as a legitimate business invoice. The phishing email impersonates a legitimate Russian research institute associated with aerospace and aviation systems and is delivered using a spoofed domain […] The post From Invoice to AnyDesk: Uncovering a Phishing Campaign Targeting Russian Aerospace Organizations appeared first on Seqrite Labs.
Analysis Summary
# Incident Report: Phishing Campaign Targeting Russian Aerospace Organizations
## Executive Summary
The Seqrite Threat Research Team identified a targeted spear-phishing campaign attributed to the "Rare Werewolf" (Librarian Ghouls) threat actor group. The attack utilizes aerospace-themed lures to deliver a multi-stage infection chain that ultimately deploys AnyDesk for persistent remote access. The primary objective is the exfiltration of system configuration data and long-term surveillance of strategically important Russian entities.
## Incident Details
- **Discovery Date:** July 7, 2026 (Report Date)
- **Incident Date:** June - July 2026
- **Affected Organization:** Multiple (targeted mimicry of Federal Budgetary Institution “VNIIR”)
- **Sector:** Aerospace, Aviation, Defense, and Industrial Manufacturing
- **Geography:** Russia, Belarus, and Kazakhstan
## Timeline of Events
### Initial Access
- **Date/Time:** June/July 2026
- **Vector:** Spear-phishing email.
- **Details:** Emails sent from a spoofed domain (`sales@vniir-avia[.]space`) using business invoice lures. The email contained a password-protected RAR archive (`счет на оплату.rar`) to bypass security scanners.
### Lateral Movement
- **Details:** The report highlights the deployment of AnyDesk for unattended access. While specific lateral movement steps within a single network weren't detailed, the automation of AnyDesk suggests the intent to pivot or maintain long-term control over multiple endpoints.
### Data Exfiltration/Impact
- **Details:** The malware utilizes the **Blat** utility to exfiltrate AnyDesk configuration files (specifically `system.conf` and `ad.conf`) to an attacker-controlled email address. This allows the attacker to clone the identity of the compromised machine and connect via AnyDesk without user interaction.
### Detection & Response
- **How it was discovered:** Research by Seqrite Labs identifying suspicious activity from freshly registered ".space" domains and Smart Install Maker packages.
- **Response actions taken:** Threat hunting for associated IOCs and implementation of detection signatures for the AnyDesk dropper and associated scripts.
## Attack Methodology
- **Initial Access:** Spear-phishing attachment (Password-protected RAR).
- **Persistence:** Creation of Scheduled Tasks and use of Smart Install Maker to drop files in `C:\temp\ChromioumTemp`.
- **Privilege Escalation:** Not explicitly detailed, but relies on administrative execution of the installer.
- **Defense Evasion:**
- Password-protected archives to defeat automated analysis.
- Living-off-the-Land (LotL) techniques (using legitimate tools like AnyDesk, WinRAR, and Curl).
- Use of **Tray Minimizer** to hide the AnyDesk UI from the victim.
- Deployment via Smart Install Maker to blend with legitimate software installations.
- **Credential Access:** Theft of AnyDesk configuration files for unattended remote access.
- **Discovery:** Identifying system details to facilitate remote connection.
- **Collection:** Archiving configuration data using WinRAR.
- **Exfiltration:** Over SMTP using the Blat command-line tool.
- **Impact:** Remote command execution and potential post-compromise deployment of XMRig miners.
## Impact Assessment
- **Financial:** Potential for future loss via cryptojacking; cost of incident response.
- **Data Breach:** Theft of remote access credentials and system configuration data.
- **Operational:** High; threat actors gain full remote desktop control over sensitive aerospace research systems.
- **Reputational:** Mimicry of government institutions (VNIIR) and the Ministry of Industry and Trade.
## Indicators of Compromise
- **Network Indicators:**
- `vniir-avia[.]space`
- `aviatronika[.]online`
- `fgub-vniir[.]space`
- `nova-stream[.]site`
- `198.54.120[.]13`
- `194.87.57[.]81`
- **File Indicators (SHA256):**
- `47854deb456cb08c651b7f9ae2f9d87c72d0719de6af233340632efb3c1980f4`
- `12648cd9d425f78db2dbc6e03c14f11e6ac6aadf8b3975c23cce9519e2b58d33`
- **Behavioral Indicators:** Unexpected execution of `curl.exe` to download files to temp directories; unauthorized SMTP traffic from non-mail applications; AnyDesk service running with "unattended access" enabled without IT authorization.
## Response Actions
- **Containment:** Blocked identified C2 domains and IP addresses.
- **Eradication:** Terminated unauthorized AnyDesk sessions and deleted malicious temp folders.
- **Recovery:** Resetting AnyDesk IDs and credentials on compromised hosts.
## Lessons Learned
- **Domain Trust:** Threat actors are successfully leveraging niche TLDs (like `.space` and `.site`) to impersonate official government entities.
- **Tool Abuse:** Legitimate remote management tools (AnyDesk) remain a primary choice for LotL actors due to their ability to bypass traditional antivirus signatures.
- **User Training:** Success relied on the user manually entering a password provided in an email body.
## Recommendations
- **Technical:**
- Implement application whitelisting to prevent unauthorized Remote Access Tools (RATs).
- Block or monitor the use of "Living-off-the-Land" binaries like `curl.exe` and `blat.exe` if not required for business roles.
- Enhance email security filters to flag password-protected archives containing executables.
- **Administrative:**
- Conduct specialized phishing simulations for employees in high-value sectors (aerospace/R&D).
- Enforce a policy for approved remote support tools and monitor for shadow IT versions of AnyDesk or TeamViewer.